Bugs in Moovit gave hackers free rides and access to personal information

A security researcher has discovered vulnerabilities in the popular transportation app Moovit that could have allowed hackers to take control of user accounts, gain free rides, and access personal information, according to recent reports.

Exploitation of Vulnerabilities and Collection of Sensitive Data

Omer Attias, a security researcher at SafeBreach, identified three critical vulnerabilities in the Moovit app. These vulnerabilities enabled him to gather registration data from new Moovit users worldwide, including sensitive information such as cell phone numbers, email addresses, home addresses, and the last four digits of credit cards. Even more concerning, these bugs could have potentially allowed attackers to hijack user accounts and use their credit cards to pay for unauthorized rides.

Impersonation and Access to Personal Data

Attias explained the extent of the security flaws: “We can fully impersonate accounts, without disconnecting them. It’s crazy, we actually have the ability to perform all the operations on behalf of different accounts, including ordering train tickets. And additionally, we can access all of their personal information.” This could have resulted in a stealthy attack that went unnoticed by the victims, except for unexpected credit card charges.

Worldwide Impact and Rapid Response

Moovit is an Israeli startup that offers route information and public transportation maps. The vulnerabilities Attias discovered could have had a global impact, as Moovit operates in 3,500 cities across 112 countries. Despite the potential severity, Moovit assured that no malicious hackers exploited the vulnerabilities. The company confirmed that Attias reported the issues in September 2022, and they were promptly addressed and fixed.

Moovit’s Response and No Evidence of Data Breach

Moovit spokesperson Sharon Kaslassi emphasized that the vulnerabilities had been rectified and that no customer data had been accessed by malicious actors. Kaslassi clarified that the relevant ticketing service tied to the vulnerabilities was active only in Israel. Attias and his team countered, stating that the vulnerabilities could have potentially affected all customers, regardless of location. The situation underscores the importance of rigorous security testing and swift response to potential threats in the digital age.

Disclaimer

We strive to uphold the highest ethical standards in all of our reporting and coverage. We at StartupNews.fyi want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.

Sarthak Luthra
Hey there! I am the tech guy. I get things running around here and I post sometimes. ~ You must have heard the name; now see the work too :-)
